Bug 30384 - sqlite3 new security issue CVE-2021-36690
Summary: sqlite3 new security issue CVE-2021-36690
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal minor
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2022-05-05 17:38 CEST by David Walser
Modified: 2022-05-12 12:26 CEST
CC: 5 users

See Also:
Source RPM: sqlite3-3.34.1-1.1.mga8.src.rpm
CVE:
Status comment:



Description David Walser 2022-05-05 17:38:03 CEST
Ubuntu has issued an advisory today (May 5):
https://ubuntu.com/security/notices/USN-5403-1

The CVE is disputed and the issue only affects the sqlite3 command, not the library. We probably don't need to push a fix for this right away (could possibly wait for more CVEs).
Comment 1 Nicolas Lécureuil 2022-05-05 22:25:17 CEST
Fixed in mga8:


src.rpm:
        - sqlite3-3.34.1-1.2.mga8

CC: (none) => mageia
Assignee: bugsquad => qa-bugs

Comment 2 David Walser 2022-05-05 23:22:11 CEST
sqlite3-tools-3.34.1-1.2.mga8
libsqlite3_0-3.34.1-1.2.mga8
libsqlite3-devel-3.34.1-1.2.mga8
lemon-3.34.1-1.2.mga8
sqlite3-tcl-3.34.1-1.2.mga8
libsqlite3-static-devel-3.34.1-1.2.mga8

from sqlite3-3.34.1-1.2.mga8.src.rpm
Comment 3 Herman Viaene 2022-05-10 14:04:23 CEST
MGA8-64 Plasma on Lenovo B50
No installation issues.
Installed sqlitestudio alongside and used that to create a new database and create a new table in it with a PK, a not-null string, another string without rules and a timestamp column. Populated a few rows, all worked OK.

Whiteboard: (none) => MGA8-64-OK
CC: (none) => herman.viaene

Comment 4 Thomas Andrews 2022-05-10 14:23:56 CEST
Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 5 Dave Hodgins 2022-05-12 00:06:23 CEST
Advisory committed to svn as ...
type: security
subject: Updated sqlite3 packages fix security vulnerability
CVE:
 - CVE-2021-36690
src:
  8:
   core:
     - sqlite3-3.34.1-1.2.mga8
description: |
  ** DISPUTED ** A segmentation fault can occur in the sqlite3.exe
  command-line component of SQLite 3.36.0 via the idxGetTableInfo function
  when there is a crafted SQL query. NOTE: the vendor disputes the relevance
  of this report because a sqlite3.exe user already has full privileges
  (e.g., is intentionally allowed to execute commands). This report does NOT
  imply any problem in the SQLite library.
  
  As the CVE assignment is disputed, this update may be changed in future
  from a security update to a bugfix update.
references:
 - https://bugs.mageia.org/show_bug.cgi?id=30384
 - https://ubuntu.com/security/notices/USN-5403-1

CC: (none) => davidwhodgins

Comment 6 Mageia Robot 2022-05-12 12:26:15 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0175.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED
